Article <uvp5l9$1ojua$1@dont-email.me>
Path: ...!eternal-september.org!feeder3.eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: Don Y <blockedofcourse@foo.invalid>
Newsgroups: sci.electronics.design
Subject: Re: Re:Predictive failures
Date: Wed, 17 Apr 2024 11:50:07 -0700
Organization: A noiseless patient Spider
Lines: 201
Message-ID: <uvp5l9$1ojua$1@dont-email.me>
References: <uvjn74$d54b$1@dont-email.me> <uvjobr$dfi2$1@dont-email.me>
 <uvkn71$ngqi$2@dont-email.me>
 <uvkrig$30nb$1@nnrp.usenet.blueworldhosting.com>
 <uvl2gr$phap$2@dont-email.me> <uvm7f5$pvu$1@nnrp.usenet.blueworldhosting.com>
 <uvmaet$1231i$2@dont-email.me>
 <uvmca4$up7$1@nnrp.usenet.blueworldhosting.com>
 <uvmjmt$140d2$1@dont-email.me>
 <uvmkco$2fih$1@nnrp.usenet.blueworldhosting.com>
 <uvmqve$15hl7$2@dont-email.me>
 <uvmthn$bjm$1@nnrp.usenet.blueworldhosting.com>
 <uvn7lm$17so6$2@dont-email.me>
 <uvn96o$2o0t$1@nnrp.usenet.blueworldhosting.com>
 <uvnf00$1cu2a$1@dont-email.me>
 <uvnio7$eac$1@nnrp.usenet.blueworldhosting.com>
 <uvnlr6$1e3fi$1@dont-email.me>
 <uvnnbd$30q6$1@nnrp.usenet.blueworldhosting.com>
 <uvnqg7$1f0pl$1@dont-email.me>
 <uvp23k$1png$1@nnrp.usenet.blueworldhosting.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Wed, 17 Apr 2024 20:50:19 +0200 (CEST)
Injection-Info: dont-email.me; posting-host="2b43e3ad6cfda17a11cedcbd329c2ac9";
	logging-data="1855434"; mail-complaints-to="abuse@eternal-september.org";	posting-account="U2FsdGVkX1/RRTP/9BfvEvD8Enpip0aA"
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:102.0) Gecko/20100101
 Thunderbird/102.2.2
Cancel-Lock: sha1:7ozWDxqUT06vIJvO0QQ5sLe/pps=
Content-Language: en-US
In-Reply-To: <uvp23k$1png$1@nnrp.usenet.blueworldhosting.com>
Bytes: 12052

On 4/17/2024 10:49 AM, Edward Rawde wrote:
>>> You could ping me if you knew my IP address.
>>
>> You can't see me, at all.  You have to know the right sequence of packets
>> (connection attempts) to throw at me before I will "wake up" and respond
>> to the *final*/correct one.  And, while doing so, will continue to
>> ignore *other* attempts to contact me.  So, even if you could see that
>> I had started to respond, you couldn't "get my attention".
> 
> I've never bothered with port knocking.
> Those of us with inbound connectable web servers, database servers, email
> servers etc have to be connectable by more conventional means.

As with installing updates and other "maintenance issues", I have
no desire to add to my workload.  I want to spend my time *designing*
things.

I run the server to save me time handling requests from colleagues for
source code releases.  This lets them access the repository and
pull whatever versions they want without me having to get them and
send them.  Otherwise, they gripe about my weird working hours, etc.
(and I gripe about their poorly timed requests for STATIC resources)

There is some overhead to their initial connection to the server
as the script has to take into account that packets aren't delivered
instantly and retransmissions can cause a connection attempt to be
delayed -- so, *I* might not see it when they think I am.

But, once the connection is allowed, there is no additional
overhead or special protocols required.

>>>>> I wouldn't bother. I'd just not connect it to wifi or wired if I
>>>>> thought there was a risk.
>>>
>>> What I mean by that is I'd clean it without it being connected.
>>> The Avira boot CD used to be useful but I forget how many years ago.
>>
>> If you were to unplug any of the above mentioned ("house") drops,
>> you'd find nothing at the other end.  Each physical link is an
>> encrypted tunnel that similarly "hides" until (and unless) properly
>> tickled.  As a result, eavesdropping on the connection doesn't
>> "give" you anything (because it's immune from replay attacks and
>> it's content is opaque to you)
> 
> I'm surprised you get anything done with all the tickle processes you must
> need before anything works.

I wouldn't "unplug any of the above mentioned drops".  I'd let them connect
using their native protocols.  This is already baked into the code so "costs"
nothing.

The hiding prevents an adversary from cutting an exposed (e.g., outside the
house) cable and trying to interfere with the system.  Just like an adversary
on a factory floor could find a convenient, out-of-the-way place to access the
fabric with malevolent intent.  Or, a guest in a hotel.  Or, a passenger
on an aircraft/ship.  Or, a CAN node in an automobile (!).

>> They should be secure from the threats they are LIKELY TO FACE.
>> If the only access to my devices is by gaining physical entry
>> to the premises, then why waste CPU cycles and man-hours protecting
>> against a threat that can't manifest?  Each box has a password...
>> pasted on the outer skin of the box (for any intruder to read).
> 
> Sounds like you are the only user of your devices.

I'm a "development lab".  I want to spend my time using my tools to
create new products.  I don't want to bear the overhead of trying to
keep up with patches for 0-day exploits just to be able to USE those
tools.  I am more than willing to trade the hassle of walking
down the hall to another computer (this one) to access my email.
And, if I DL a research paper, copying it onto a thumb drive to
SneakerNet it back to my office.  To me, that's a HUGE productivity
increase!

> Consider a small business.
> Here you want a minimum of either two LANs or VLANs so that guest access to
> wireless can't connect to your own LAN devices.
> Your own LAN should have devices which are patched and have proper
> identification so that even if you do get a compromised device on your own
> LAN it's not likely to spread to other devices.

The house network effectively implements a VLAN per drop.  My OS only lets
"things" talk to other things that they've been preconfigured to talk to.
So, I can configure the drop in the guest bedroom to access the ISP.
Or, one of the radios in the ceiling to do similarly.  If I later decide that
I want to plug a TV into that guest bedroom drop, then the ISP access is
"unwired" from that drop and access to the media server wired in its place.

And, KNOW that there is no way that any of the traffic on either of those
tunnels can *see* (or access) any of the other traffic flowing through the
switch.  The switch is the source of all physical security as you have
to be able to convince it to allow your traffic to go *anywhere* (and WHERE).

[So, the switch is in a protected location AND has the hardware
mechanisms that let me add new devices to the fabric -- by installing
site-specific "secrets" over a secure connection]

Because a factory floor would need the ability to "dial out" from a
drop ON the floor (or WiFi) without risking compromise to any of
the machines that are concurrently using that same fabric.

Imagine having a firewall ENCASING that connection so it can't see *anything*
besides the ISP.  (and, imagine that firewall not needing any particular rules
governing the traffic that it allows as it's an encrypted tunnel letting
NOTHING through)

> You might also want a firewall which is monitored remotely by someone who
> knows how to spot anything unusual.
> I have much written in python which tells me whether I want a closer look at
> the firewall log or not.

Yet another activity I don't have to worry about.  Sit in the guest bedroom
and you're effectively directly connected to The Internet.  If your machine
is vulnerable (because of measures YOU failed to take), then YOUR machine
is at risk.  Not any of the other devices sharing that fabric.  You can get
infected while sitting there and I'm still safe.

My "labor costs" are fixed and don't increase, regardless of the number
of devices and threats that I may encounter.  No need for IT staff to handle
the "exposed" guests -- that's THEIR problem.

>> Do I *care* about the latest MS release?  (ANS:  No)
>> Do I care about the security patches for it?  (No)
>> Can I still do MY work with MY tools?  (Yes)
> 
> But only for your situation.
> If I advised a small business to run like that they'd get someone else to do
> it.

And they would forever be "TAXED" for their choice.  Folks are starting
to notice that updates often don't give them anything that is worth the
risk/cost of the update.  Especially if that requires/entices them to have
that host routed!

My colleagues have begrudgingly adopted a similar "unrouted development
network" for their shops.  The savings in IT-related activities are
enormous.  And, they sleep more soundly knowing the only threats
they have to worry about are physical break-in and equipment
failure.

You want to check your email?  Take your phone out of your pocket...
Need to do some on-line work (e.g., chasing down research papers
or browsing a remote repository)?  Then move to an "exposed"
workstation FOR THAT TASK.

[Imagine if businesses required their employees to move to such
a workstation to browse YouTube videos or check their facebook
page!  "Gee, you're spending an awful lot of time 'on-line',
today, Bob...  Have you finished that DESIGN, yet?"]

>> I have to activate an iPhone, tonight.  So, drag out a laptop
>> (I have 7 of them), install the latest iTunes.  Do the required
>> song and dance to get the phone running.  Wipe the laptop's
>> disk and reinstall the image that was present, there, minutes
>> earlier (so, I don't care WHICH laptop I use!)
> 
> You'll have to excuse me for laughing at that.
> Cybersecurity is certainly a very interesting subject, and thanks for the
> discussion.
> If I open one of the wordy cybersecurity books I have (pdf) at a random page
========== REMAINDER OF ARTICLE TRUNCATED ==========
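The "hide until the right sequence of connection attempts arrives" behaviour discussed in this thread is a port-knock gate. The following is an added illustration, not code from either poster: a small server-side knock state machine that keeps per-source state (so other hosts' traffic cannot advance or disturb a sequence), tolerates a retransmitted knock, expires a partial sequence when the next knock arrives too late, and resets silently on any other port. The knock sequence, the timing window and the event trace are all constructed for the example; it models only the knock gating, not the per-link encrypted tunnels described in the post.

```python
"""Port-knock gate (added example; sequence, window and trace are constructed)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed configuration: consecutive ports in the sequence must differ, because a
# repeat of the previous port is interpreted as a retransmission.
KNOCK_SEQUENCE = (7000, 8000, 9000)
KNOCK_WINDOW = 5.0      # max seconds between consecutive knocks from one source
OPEN_DURATION = 30.0    # seconds the gate stays open after a complete sequence


@dataclass
class KnockState:
    position: int = 0       # number of sequence knocks matched so far
    last_seen: float = 0.0  # timestamp of the last counted knock
    open_until: float = 0.0 # gate open for this source until this timestamp


class KnockGate:
    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW, open_for=OPEN_DURATION):
        self.sequence = tuple(sequence)
        self.window = window
        self.open_for = open_for
        self.states: Dict[str, KnockState] = {}

    def observe(self, ts: float, src: str, dport: int) -> str:
        """Feed one connection attempt; returns what the gate decided."""
        st = self.states.setdefault(src, KnockState())

        # A knock arriving after the window (delayed, or a stale partial sequence)
        # discards the progress so far; the source must start over.
        if st.position and ts - st.last_seen > self.window:
            st.position = 0

        # Retransmission of the knock we already counted: tolerate it, do not reset.
        if st.position and dport == self.sequence[st.position - 1]:
            st.last_seen = ts
            return "duplicate"

        if dport == self.sequence[st.position]:
            st.position += 1
            st.last_seen = ts
            if st.position == len(self.sequence):
                st.open_until = ts + self.open_for
                st.position = 0
                return "open"
            return "progress"

        # Any other port: no response at all, and the partial sequence is dropped.
        st.position = 0
        return "ignored"

    def is_open(self, ts: float, src: str) -> bool:
        st = self.states.get(src)
        return bool(st and ts < st.open_until)


# Constructed trace of (timestamp, source, destination port) connection attempts.
SAMPLE_EVENTS: List[Tuple[float, str, int]] = [
    (0.0, "192.0.2.10", 7000),
    (0.4, "192.0.2.10", 7000),   # retransmitted first knock
    (1.0, "192.0.2.10", 8000),
    (1.5, "192.0.2.10", 9000),   # completes the sequence
    (2.0, "192.0.2.99", 7000),   # a different source starts its own sequence
    (2.5, "192.0.2.99", 22),     # stray probe from that source: silently reset
    (10.0, "192.0.2.50", 7000),
    (20.0, "192.0.2.50", 8000),  # 10 s after the first knock: window expired
]


def replay_trace(events=SAMPLE_EVENTS):
    """Run a trace through a fresh gate; returns (gate, list of decisions)."""
    gate = KnockGate()
    decisions = [gate.observe(ts, src, dport) for ts, src, dport in events]
    return gate, decisions


if __name__ == "__main__":
    gate, decisions = replay_trace()
    for (ts, src, dport), decision in zip(SAMPLE_EVENTS, decisions):
        print(f"t={ts:5.1f} {src:<12} port {dport:<5} -> {decision}")
    print("192.0.2.10 open at t=5:", gate.is_open(5.0, "192.0.2.10"))
```

The design point worth noticing is that every non-matching packet is answered with silence rather than a reset or an error, so a scanner learns nothing from the difference between "wrong port" and "right port, wrong position".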